CVE-2025-46490: 
WordPress vulnerability analysis and mitigation

An Unrestricted Upload of File with Dangerous Type vulnerability was identified in wordwebsoftware's Crossword Compiler Puzzles WordPress plugin, tracked as CVE-2025-46490. The vulnerability was discovered by researcher astra.r3verii and publicly disclosed on April 25, 2025. This security flaw affects all versions of Crossword Compiler Puzzles through version 5.2, allowing authenticated users with subscriber-level privileges to upload a web shell to the web server (Patchstack, MITRE CVE).

The vulnerability has been assigned a CVSS score of 9.9 (High), indicating its critical severity. The security flaw is classified as an Arbitrary File Upload vulnerability under the OWASP Top 10 category A3: Injection. The vulnerability requires subscriber-level privileges to exploit, suggesting that while authentication is required, the barrier to exploitation is relatively low (Patchstack).

This vulnerability is considered highly dangerous and is expected to become mass exploited. The arbitrary file upload capability could allow malicious actors to upload any type of file to the affected website, including backdoors that can be executed to gain further access to the website's systems. The high CVSS score of 9.9 reflects the significant potential impact of successful exploitation (Patchstack).

The vulnerability has been fixed in version 5.3 of the Crossword Compiler Puzzles plugin. Users are strongly advised to update to version 5.3 or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).